IBM z/OS UNIX security parameters in /etc/rc must be properly specified.

An XCCDF Rule

Description

Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.

ID: SV-223618r958472_rule
Version: ACF2-US-000030
Severity: Medium
References: CCI-000213
Updated: about 2 months ago

Remediation Templates

Review the settings in the /etc/rc. The /etc/rcfile is the system initialization shell script. When z/OS UNIX kernel services start, /etc/rc is executed to set file permissions and ownership for dynamic system files and to perform other system startup functions such as starting daemons. There can be many commands in /etc/rc. 

There are two specific guidelines that must be followed:
-Verify that the CHMOD or CHAUDIT command does not result in less restrictive security than what is specified in the table below.
-Immediately prior to each command that starts a daemon, the _BPX_JOBNAME variable must be set to match the daemon's name (e.g., inetd, syslogd). The use of _BPX_USERID is at the site's discretion, but is recommended.
Directory    Permission Bits    User Audit Bits    Function
/ [root]     755                faf                Root level of all file systems. Holds critical mount points.
/bin         1755               fff                Shell scripts and executables for basic functions
/dev         1755               fff                Character-special files used when logging into the OMVS shell and during C language program compilation. Files are created during system IPL and on a per-demand basis.
/etc         1755               faf               Configuration programs and files (usually with locally customized data) used by z/OS UNIX and other product initialization processes
/lib         1755               fff                System libraries including dynamic link libraries and files for static linking
/samples     1755               fff                Sample configuration and other files
/tmp         1777               fff                Temporary data used by daemons, servers, and users. Note: /tmp must have the sticky bit on to restrict file renames and deletions.
/u           1755               fff                Mount point for user home directories and optionally for third-party software and other local site files
/usr         1755               fff                Shell scripts, executables, help (man) files and other data. Contains sub-directories (e.g., lpp) and mount points used by program products that may be in separate file systems.
/var         1775               fff                Dynamic data used internally by products and by elements and features of z/OS UNIX.

IBM z/OS UNIX security parameters in /etc/rc must be properly specified.

Description

Remediation Templates

A Manual Procedure